Method and System for Managing Secure Sharing of Private Information Across Security Domains Using an Authorization Profile

ABSTRACT

In a method of granting a user in a first organization access to private information stored within an authorization profile of a second organization, an access agreement between the two organizations is formed. Authorization is requested for the user, the authorization profile is retrieved, and authorization to private information is granted if authorized by the access agreement. 
     In a method of authorizing access by users to private information stored by an organization as associated with a program, three types of caseloads are defined. The first authorizes access to information of a first individual of a first program, the second authorizes access to information of a second individual of all programs, and the third authorizes access to information of all individuals of a second program. 
     Authorization is requested for the user to access one or more of the caseloads, and access to one or more caseloads is granted to the user.

FIELD

Embodiments of the invention relate to managing secure sharing ofprivate information across security domains. This is widely applicable,and is especially critical to healthcare applications to comply withHealth Insurance Portability and Accountability Act of 1996 (“HIPAA”)—aset of standards and requirements for the electronic transmission ofcertain health information implemented to increase the efficiency andeffectiveness of the health care system; this is particularlychallenging for Individuals with developmental disabilities (DD).Embodiments of the invention are also applicable with respect to otherregulations—for example, financial services regulations—as well as otherlaws, standards, and policies—for example, proprietary information fordifferent portions of a project. The uniqueness in embodiments of thisinvention is in its ability to share information among authorized usersacross different organizations and security domains, without requiringdirect contact among security administrators in different domains, andyet still complying with security requirements.

BACKGROUND

In applications requiring privacy or security of electronic information,the state of the art is using rule-based security access, with a varietyof recognition systems for each user. Unfortunately, this does notinclude a system for maintaining the security of information when it iselectronically shared among different security domains.

Typically, information may be shared securely among organizations inpaper format because of a lack of compatible electronic formats andappropriate privacy and security systems. The desired information may bephysically copied and delivered. This makes it prone to delays, missinginformation, unregistered users, lack of clarity of what information isauthorized to be transmitted, and unauthorized access by differentpeople. All these are challenges with the current physical system incomplying with security protocols.

As stated in the HIPAA regulations, rule-based security systems withpasswords is the target practice. These systems are widely usedthroughout the government and industry. However they do not address howto actively share information across security domains managedseparately. In many hospitals, the combination of being unable topredict who may need to provide care, especially in an emergency, andthe challenges of maintaining a variety of accounts and passwords, eachwith limited access, results in each doctor and health professionalbeing provided with access to all patients' information throughout theinstitution. These practices may expose healthcare providers topotential liability for not properly protecting sensitive Individualhealth information.

This is particularly challenging for Individuals with DevelopmentalDisabilities, which are lifelong conditions with varying degrees ofimpairments. Individuals are often subject to more medical and otherhealth conditions, and may have more emergencies. They may have othersdesignated to act on their behalf in various capacities includingmedical, financial, and legal. Access to Personal Health Information(“PHI”) about health and related conditions is strictly regulated byHIPAA and other state and federal regulations, which complicatesproviding support and services.

Care and support for Individuals with Developmental Disabilities isoften distributed among many people and organizations, includingParents, service providers, doctors and other health professionals,volunteers, and case managers and others appointed by various fundingand regulatory jurisdictions. The responsibilities and privileges ofdifferent users (ranging from Parents or Guardians to health careprofessionals and staff members) may differ by funding sources andorganizational structures, and thus a flexible system for determiningwho has access to what information is essential. For example, often anorganization providing support to an Individual may have differentgroups with separate staff to provide different functions, and thusprocesses may be used to control who has access to what information byapplication and Individual; also a staff member with specializedcapabilities, such as a behaviorist, has responsibilities that cutacross other organizational boundaries and serve one or a fewIndividuals out of each grouping. Individuals often change theorganizations which provide support for them and thus users wish to beprovided access to appropriate information covering past conditions andsituations from other organizations. HIPAA and other regulations requestthat Individuals and their agents be able to update their PHI records.Changes in information may need to be shared and maintained among arange of people and authorities over many decades.

In the face of such challenges it becomes difficult for care providersto manage privacy and security of information and communications aboutthe Individuals they serve, particularly in accordance with HIPAAregulations. Such limitations urgently call for a system that canfacilitate secure entry, access, sharing, updating, storage, andmanagement of information about an Individual.

Similar situations exist in many other industries. Banking and creditwhere many different organizations use and create information aboutpeople with a critical need for security and privacy. Proprietaryinformation within and among organizations regarding productdevelopment, marketing, sales, and other areas of operations alsobenefit from such a system.

SUMMARY

Embodiments of the invention provide systems for managing inter-domain(among multiple security domains) and intra-domain (within the securitydomain) sharing of secure information intended to meet security andprivacy regulations. Embodiments of this invention may have applicationsfor sharing and managing, inter alfa, PHI across and withinorganizations in the Developmental Disability community, in compliancewith HIPAA and other regulations and security procedures.

Embodiments of this system ensure that Individual information issecurely stored, eliminating the risk of loss of information. It allowsusers to record Individual information to a database making theinformation securely available any time, anywhere to users who haveauthorization to access the information, including special provisionsfor emergencies. Users in different security domains may accessinformation and perform actions depending on the roles and privilegesassigned by the administrators in all the relevant security domains.

Embodiments of the system disclosed in this document provide ways ofsharing private health information and ensuring a means to restrict anyunauthorized access or sharing of such information across differentsecurity domains, so that each security manager is responsible for usersin their own domain, and yet may specify the level of access for usersin other domains.

Accomplishing this involves algorithms to assure that any sharing isappropriately authorized, that Individuals are correctly matched amongsecurity domains, that emergency access is provided appropriately, thatarchived information is appropriately managed, and that all accesses andchanges are tracked in accordance with security requirements.

According to one embodiment of this invention, the Individual or theirGuardian may be given control of the information by being the PrimarySecurity Domain and controlling the Archived information. The Individualor their Guardian may then manage who has access to information, who maystore it, and may even update it.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 illustrates an overview of embodiments of the disclosed system ofmanaging Secure Sharing of Private Information Across Security Domains.

FIG. 2 illustrates embodiments of the Individual/Parent/Guardian PrivateInformation Authorization Process.

FIG. 3 illustrates embodiments of the Regulator or Funder ServiceAuthorization Process.

FIG. 3 a is a sample screenshot of a Regulator or Funder ServiceAuthorization

Form

FIG. 4 illustrates embodiments of the Mutual Business Agreement Process.

FIG. 5 illustrates embodiments of the system for Matching CommonIndividual Process.

FIG. 5 a is a sample of an Individual Data Form screenshot.

FIG. 6 illustrates embodiments of the system called Caseloads whichallows users to share information based on the Individual and how theinformation was created and stored.

FIG. 6 a is a sample screenshot of a page where Caseloads are defined.

FIG. 7 illustrates Security Access Roles which define the actions usersmay perform on Individual information.

FIG. 7 a is a sample screenshot of a page where Security Access Rolesare defined.

FIG. 8 is a sample screenshot of a page where Security Access Privilegesare assigned to authorized users.

FIG. 9 illustrates a Sample Physical Architecture for running anembodiment of the invention.

FIG. 10 illustrates a Sample Physical Architecture for RedundancyOperations for running an embodiment of the invention.

FIG. 11 illustrates the embodiments of the system which allow TrackingActivity across Security Domains.

FIG. 1 la is a sample screenshot of the records saved securely tofacilitate Tracking Changes in Information caused by user activities.

FIG. 12 illustrates embodiments of the Notification System whichnotifies or alerts users to changes in Individual information throughsecure and non-secure notification media.

FIG. 12 a is a screenshot of the ‘FirstPage’ from where authorized usersget notified of their required task.

FIG. 12 b is a screenshot of Notification Information that are requiredby the system in order to provide appropriate notifications toauthorized users.

FIG. 12 c is a sample of the Notification Profile screenshot whichenables alerting authorized users of activities in their authorizedservices.

FIG. 13 illustrates embodiments of the system which provide SecureAccess to Shared Archived Individual information.

FIG. 13 a is a sample of Secure Access to Shared Archived Individualinformation pages that enable authorized users to share and accessarchived data in a secure environment.

FIG. 14 illustrates embodiments of the system which provides EmergencyAccess so users can access defined Individual information in emergencysituations.

FIG. 14 a is a sample of an Emergency Data Form Role screenshot thatdisplays the individual information requested in emergency situations.

FIG. 15 is a sample of Additional Shared Security Feature screenshotthat ensure absolute privacy in sharing.

FIG. 15 a is a sample of other Additional Shared Security Features thatfacilitate information sharing by providing privacy and security.

FIG. 16 illustrates embodiments of the Security Monitoring and Auditingfor Shared Access to track the access of Individual information forprivacy and security as requested by HIPAA regulations and guidelines.

FIG. 16 a is a sample of the ‘Security Monitoring and Auditing forShared Access’ pages that enable systems to monitor and audit thesecurity for shared access.

FIG. 17 illustrates an overview of Shared System having Individual,Guardian or Parent as Primary Security Domain Manager.

DETAILED DESCRIPTION OF THE INVENTION

The disclosed system on information sharing enables users amongdifferent organizations in different security domains to access, interalfa, PHI based on rules governed by HIPAA, as well as other laws,regulations, standards, and/or policies. Information sharing for commonIndividuals may be between users in two or more organizations or withindifferent security domains in one organization.

FIG. 1 illustrates an overview the embodiments of the invention (SecureShared Information Access)

As shown in FIG. 1, Security Domains I 101 and II 102 represent twodifferent organizations. In the figure, Individual X (115 and 147)represents an Individual who is served by both organizations, SecurityDomain I 101 and Security Domain II 102. Individual X 115 may bedifferent from Individual X 147 as they represent Individual X in therespective Domains (not X themselves)

Each Security Domain may have a valid Individual, Parent, or GuardianAuthorization (UP/G A-X) (103 in Security Domain I; 105 in SecurityDomain II) to store or access private information about Individual X,and also to share information with another organization. TheIndividual/Parent/Guardian (I/P/G) 104 may provide authorization to theorganizations to access information about Individual X. Theorganizations may, optionally, receive Service Authorizations (SA-X) 106(in Security

Domain I) and 108 (in Security Domain II) from Regulators or Funders 107that define the services which may be provided for Individual X. Thesetwo organizations 101 and 102 may also enter into a Business Agreement(BA) 109 (in Security Domain I) and 111 (in Security Domain II) that maycomply with privacy, and security regulations in accordance with HIPAA,or other laws, regulations, standards, or policies. Embodiments of thisinvention include systems for assuring that these Authorizations andmutual Business Agreements 110 are appropriately executed (if theorganization executes such an agreement). Once the terms and conditionshave been agreed on, a mutual Business Agreement 110 may be formed andthe organizations may proceed to, share information on an Individualthat is supported by both, and authorized for sharing.

Central to all modes of information sharing defined by the system, isthe prior state of the art system of assigning access privileges tousers. Access privileges control users' access to specific Individualinformation. The information that may be shared and the actions that maybe performed on Individual information may depend on the accessprivileges or roles assigned to the authorized users. Users may be ableto access and share selected Individual information based on the roles.

Referring to FIG. 1, both the organizations have detailed information onIndividual X (115 and 147) in Individual Data Form I.X 121 and EmergencyData Form I.X 122 in Security Domain I 101, and Individual Data FormII.X 136 and Emergency Data Form II.X 137 in Security Domain II 102. InSecurity Domain I 101, Individual X 115 is enrolled in two servicePrograms, termed as Program I.1 112 and 1.2 117. These programs (ProgramI.1 112 and I.2 177) also represent different security domains which arewithin the same organization. The same Individual, represented asIndividual X 147 is also enrolled in Program II.1 146 in Security DomainII 102. Security Domain I 101 has a Sharing Access Profile 130 whichgoverns access from users in Security Domain II 102 Embodiments of thisinvention include systems to identify common individuals and theircorresponding health information that may be shared.

Access profiles, for example User I.A Access Profile 126, control what auser may do. The access profile is defined by a combination Caseload,for example Caseload 128, which defines what information for whichindividuals may be accessed, and by Roles, for example Role 127, whichspecify the functions which may be accessed by the user for eachapplication. The system also defines Domain II Access Profile 130 forsharing across Security Domains of various organizational boundaries.

Embodiments of this invention also include systems allowing users in oneorganization to access individual information under different securitydomains within that same organization. Such a system for augmentingprior art security management arrangements is referred to as“Caseloads,” which allow the security manager to define access protocolsand thus specify the access capabilities of the user. Caseloads may becategorized as two types: Standard Caseloads and Super Caseloads.Standard Caseloads may be mapped to:

-   (1) All the individuals in one Program, as shown, for example, in    Caseload 132 and indicated by horizontal shading for Program I.2    117;-   (2) One Individual in all Programs in the Security Domain I, as    shown in Caseload 128 and indicated by diagonal shading for    Individual X 115 in Programs I.1 112 and I.2 117.-   (3) One individual in one Program, as shown in Caseload 141 and    indicated by vertical shading for Individual X 147 in Program II.1    146;

Super Caseloads are defined as a set of Standard Caseloads. In the caseof a Super Caseload, a Standard Caseload may be added to a newly createdSuper Caseload. This means all the groups of Programs,Program-Individual pairs, and Individuals under the former StandardCaseload may now become a subset of the new Super Caseload. Moreover, ifchanges are made to the former Standard Caseload, those changes may bereflected in the new Super Caseload as well. For example, if a newIndividual is added to a Program, or an existing Individual is added toa new Program, then this automatically is incorporated in cases (1) and(3), respectively, for both the Standard Caseloads and for the SuperCaseloads including these Standard Caseloads.

The system also provides embodiments for Internal Domain Access Sharingof Individual information within an organization. Referring to FIG. 1,User I.A 129 is an authorized user in Security Domain I 101, and UserII.F 142 and User II.G- 145 are authorized users in Security Domain II102. Each may have similar or different access profiles under thesecurity domains they are in. User I.A 129 in Security Domain I 101 hasaccess privileges on Individual X 115. This means that embodiments ofthe invention allow User I.A 129 to access records 116 and 120 ofIndividual X 115 irrespective of the programs Individual X 115 isenrolled in within Security Domain I 101. That is, User I.A 129 mayaccess Record I.X.2345 116 in Program I.1 112 and Record I.X.1234 120 inProgram I.2 117 of Individual X 115. Accessibility is represented byarrows 123 and 124.

The conventional program-based security access system has a user who isassigned privileges for different programs within an organization.Individuals Z 118, Y 119 and X 115 are enrolled in Program I.2 117within the organization Security Domain I 101. Individual X 115 is alsoenrolled in Program I.1 112 along with Individual V 113 and Individual W114. User I.A 129 has been given roles 127 and access privileges forProgram I.2 117.

For example, a different user having a different Access Profile may begiven roles and access privileges only for Program I.2 117. This meansthat embodiments of the invention allow this user to access informationfor all Individuals enrolled in the Program I.2 117. In the case of UserI.A 129, apart from accessing information on Individual X 115 (RecordI.X.2345 116 in FIG. 9) in Program I.1 112, User I.A 129 can also accessthe information of Individual X 115 (Record I.X.1234 120 in FIG. 9)entered by the different user in Program I.2 117. The actions User I.A129 may perform on Individual X's information in Program I.2 117 maydepend on the union of all the Roles 127 in the Caseload 128 that havebeen assigned.

For example, User I.A 129 in Security Domain I 101 is assigned by theData

Administrator the Submit and Approve roles for a particular application.As shown in FIG. 1, User I.A 129 has been assigned the caseload 128 onIndividual X 115 enrolled in Programs I.1 112 and I.2 117. Embodimentsof this invention may ensure security by automatically checking thecontrollability of the authorized user and thus providing the user theaccess accordingly. The Submit Role may include privileges that allowauthorized users to enter, save and submit the information. Informationthat has been saved may be edited and saved again by User 1.A 129. Oncethe information has been submitted, it moves to Submitted state and theoriginator having the Submit role may no longer have access to it. Theremay be certain applications that either request or do not requestapproval from users of certain privileges to ensure that the informationentered on an Individual is accurate and meet the guidelines necessaryto serve the Individual in the organization. If the application forwhich User I.A entered information requests approval, then theinformation in Submitted state awaits for approval. The Approve roleallows the authorized User I.A to review the information and makenecessary changes. The information may again be submitted for approval,or may be directly approved by the approver. However, if the applicationfor which User I.A 129 entered information does not request approval,submitting the information for that application may result in saving itdirectly in a secure database of the system. This means that with theSubmit and Approve roles in the Caseload on Individual X 115,embodiments of this invention may allow User I.A 129 to submit andapprove information on Individual X in Programs I.1 112 and I.2 117.

With the Mutual Business Agreements 110 and Service Authorizations (SA-X106 and 108) in effect, embodiments of the invention allow both theorganizations to share information on common Individual—Individual X(115 and 147) among them. User II.F 142 in Security Domain II 102 hasprivileges to access information of Individual X 146 within SecurityDomain II 102, because the corresponding caseload 141 includesIndividual X 115. Furthermore, User II.F 142 is authorized for access toInter domain sharing, as indicated by the “shaded circle” in the AccessProfile 141 and elsewhere. The

Access Profile of Domain II 130 in Security Domain I 101 definesprivileges for users in Security Domain II 102 to access information ofcommon Individuals in Program I.2 117 of Security Domain I 101. That is,the Access Profile of Domain II 130 in Security Domain I 101 defineRoles 131 for User II.F 142, in Security Domain II 102 for sharedinformation on Individual X 115. Embodiments of the invention usesystems to determine the common Individuals 135 among the organizations.Through this system the Access Profile of Domain II 130 in SecurityDomain I 101 may allow User II.F 142 in Security Domain II 102 to haveaccess privileges on information of Individual X 115 in Program I.2 117in Security Domain I 101. The actions that may be performed on suchinformation depend on the intersection of the roles assigned to theuser, defined in the Access Profiles in security Domains I 130 &and II138. Thus, User II.F 142 in Security Domain II 102 may—through secureinformation sharing 125—have access to Record I.X.1234 120 in ProgramI.2 117 in Security Domain I 101 of Individual X 115. Embodiments of theinvention control the access and sharing of information on Individual X115 according to the regulations as agreed upon by both organizations.Thus, with respect to health information, embodiments of the inventionare conforming to the privacy and security of Individual information asrequested by the guidelines of HIPAA regulations.

Access profile of User II.G 139 in Security Domain II 102 may allow theuser to have access privileges 134 on the Archived Data 133 ofIndividual X 115, as indicated by the “shaded star” in Access Profile144 and elsewhere.

FIG. 2 illustrates embodiments of the Individual, Parent and/or GuardianPrivate Information Authorization process. In order to share privateinformation on an Individual between organizations it is essential toacquire the Individual's, Parent's or Guardian's (I/P/G 104)authorization.

With respect to Personal Healthcare Information (PHI), the conventionalprocedure is to obtain authorization by having the Individual, Parentand/or Guardian sign paper documents complying with HIPAA regulations.Typically these documents do not specify which organizations areauthorized to receive information from the organization with thedocument, they are not readily updated, and they do not address storageand updating of private information.

Referring to FIG. 2, Individual X 115 represents the Individual to beenrolled in an organization. I/P/G 104 may authorize (201) a specificorganization, Security Domain I 101, to provide service to Individual X115, and to gather and access private information. That is, SecurityDomain I 101 may acquire I/P/G A-X 202 to access private informationrequested to serve Individual X 115. Further authorizations (I/P/G A-X103) may also be allowed by I/P/G 104 for sharing of Secure Informationwith other authorized organizations, or authorization (UP/G A-X 203)providing access to Archived Information, or authorization for all ofthe services mentioned above (I/P/G A-X 205).

Embodiments of the invention may provide systems for authorizations tobe explicitly stored through user accounts, electronic signatures orscanned paper documents (204) so that UP/G 104 may control privateinformation access and sharing. Embodiments of the invention furtherenhance the authorization procedure by providing user accounts for I/P/G104. Such authorizations include the authorization requested for anorganization to provide service to the Individual and collect Privateinformation, the authorization to access and share private information,and the authorization to access and archive information. By allowingUP/G 104, or any combination thereof ongoing secure access to theseauthorizations, they may be reviewed and changed at any time.

Embodiments of the invention also deal with the situation where theIndividual, Parent, and/or Guardian terminates the Authorization, eitherby deliberate intervention or by going beyond the specified duration ofthe Authorization without renewing it. As soon as the Authorization isterminated, all activities regulated by the Authorization are no longerallowed by the system. Note that this does not mean the information isdestroyed, merely that the access and other authorizations related to itare terminated.

FIG. 3 illustrates the Regulator or Funder Service AuthorizationProcess. As part of the process of administering services, organizationsproviding services may obtain authorization to provide specific servicesfrom the regulating or funding organizations. To accomplish this, thedifferent organizations may engage in a process to reach agreement onservices to be offered while sharing private information securely.

Embodiments of the invention provide a secure system for the approval ofservice authorizations to be an integral part of the process ofaccessing, using, and sharing private information. Embodiments of theinvention allow for agents of the regulating or funding organization tohave these service authorization requests integrated with their ownworkflow even across many service organizations: notifying them ofpending requests for authorizations; providing a system for securecommunications to discuss and resolve differences, both within theirorganization, and with the funding organization, the Individual,Parents, and/or Guardians; providing a secure system for approvingand/or rejecting; recording the outcome of all discussions and/ordecisions; and sharing the approvals securely with the appropriateorganizations. The service provider may also have the authorizationrequest and approval process integrated with their work flow as well. Inaddition, when the Service Authorization has been approved, it may beautomatically integrated with the work flow of providing and billing forservices.

As shown in FIG. 3, an organization, such as Security Domain I 101, mayrequest for Service Authorization of Individual X 301. Alternatively,the request for service authorization (SA-X 307) may come from theIndividual, Parent, or Guardian or from within the regulating or fundingorganization. The agents may receive these requests (302). Whileprocessing the request SA-X 301 or SA-X 307, embodiments of theinvention check to see if the Service Provider has been authorized (303)by the Individual, Parent, and/or Guardian to support Individual X. Ifthe Service Provider is not authorized, the Service Authorizationrequest may be rejected (305). If the Service Provider is authorized bythe Individual, Parent, and/or Guardian, the Regulator or Funder mayconsider the Service Authorization (SA-X) 304 based on the informationprovided by the Service Provider and other information (306). Once theService Authorization SA - X 106 is approved, it may be stored in asecure database 306. To accommodate Funding and Regulatory agencies thatare not using the system, approvals may be entered in a variety ofmanners, including scanned signed documents and electronic signatures(306). When Regulators and Funders (107) access the system through useraccounts, embodiments of the invention enhances the process.

Embodiments of the invention may also deal with the situation where theFunder or Regulator terminates the Service Authorization, eitherexplicitly or by going beyond the specified duration of the ServiceAuthorization without renewing it. As soon as the Service Authorizationis terminated, all activities regulated by the Service Authorization areno longer allowed by the system.

FIG. 3 a is a sample of the Service Authorization form requested by anorganization such as Security Domain 1, an Individual, Parent, orGuardian, Regulators or Funders.

Users with the proper Service Authorization Role are able to log intothe system and select a program for which they want the authorization.Selecting the program may take the authorized user to the ServiceAuthorization page, as shown in FIG. 3 a. Embodiments of the inventionrequest the authorized user to fill in the appropriate information. AUser with appropriate roles may then either Save, Submit, or Approve theauthorization. Embodiments of the invention then store the informationin a secure database to conform to the privacy and security measures asrequested by HIPAA regulations, as well as other laws, regulations,standards, and/or policies.

FIG. 4 shows embodiments of the Mutual Business Agreement Process. Thisagreement may allow authorized users to securely share privateinformation of Individuals common to different organizations. Thus,embodiments of the invention may allow authorized users to shareprevious and current information on common Individuals. To initiate suchSecure Information Sharing of private information of Individuals commonto different organizations, the organizations, representing differentsecurity domains, may have a mutual business agreement among them.Embodiments of the invention may function with or without a mutualbusiness agreement; for example, a mutual business agreement may not beexecuted in a situation where composers enroll in a group which usesembodiments of the invention to share musical information amongcomposers.

Referring to FIG. 4, both the organizations, Security Domain I 101 andSecurity Domain II 102 are authorized by I/P/G 104 to support IndividualX and to share secure information of Individual X between theorganizations, I/P/G A-X 103 and I/P/G A-X 411, respectively. Theorganizations also may be granted Service Authorizations SA-X 106 andSA-X 108, respectively, by the Regulator or Funder (107) before enteringa new Business Agreement. Embodiments of the invention maintain theauthorization records (401 and 402) for each Security Domain to enforcethat sharing is limited to other security domains with which it hasvalid Business Agreements in effect. The system also maintains a historyof previous negotiations on Business Agreements which may be helpful infuture negotiations.

Embodiments of the invention allow authorized users, with a BusinessAgreement Role in one security domain, to initiate a business agreementwith another security domain in a secured communications environment. Asshown in FIG. 4, Security Domain I 101 (New Business AgreementRequester) requests a new business agreement process with SecurityDomain II 102 (New Business Agreement Responder) which enables theorganizations to share information on common Individuals. Before sendingthe request, embodiments of the invention may provide a system (403)that allows the organization to identify other organizations which havecommon Individuals, without revealing the identity of the Individuals,because the system may not allow them to share Private informationbefore the Business Agreement is approved. Security Domain I sends arequest for a new Business Agreement (BA) 404 to Security Domain II fora new Business Agreement. This request for a new Business Agreement isreceived (405) by Security Domain II 102. Embodiments of the inventionprovide a means of alerting the Responder, who has an appropriateBusiness Agreement Role in Security Domain II, of the request for a newBusiness Agreement.

Then Negotiations (406 and 407) between the two Security Domains mayoccur and so this invention may also provide a mechanism for securenegotiations between the two Security Domains. Upon negotiation of theterms, conditions, organizational policies, and other regulationsspecified in the requested agreement, the organizations Security DomainI 101 and Security Domain II 102 may mutually accept the BusinessAgreement (409) or reject it (410). Embodiments of the invention allowthe system's users to securely make the negotiations. Embodiments ofthis invention retain a history of negotiations in a secure database forfuture reference by Security Domain I 101 and Security Domain II 102.

When the Business Agreement (110) is mutually accepted, embodiments ofthe invention provide systems which may facilitate sharing of privateinformation of common Individuals ensuring compliance with terms,conditions, and regulations. That is, embodiments of the inventionprovide systems to assure that information (such as archived or current)are shared if the two organizations have a Business Agreement (BA 109 &BA 111) in effect between them—to satisfy HIPAA requirements or otherlaws, regulations, standards, and/or policies—and the Security Domainshave specifically activated authorized viewing of information by theother. Embodiments of the invention give the organizations greatercontrol over exactly which Individuals are involved, and exactly whatroles are permitted for users in one organization to access and useinformation from the other organization. It also provides theflexibility to manage information flow as requested by HIPAA or otherlaws, regulations, standards, and/or policies, for example, includingtracking the identity and times that users access protected information.

Embodiments of the invention also deal with the situation where one orboth organizations terminate the mutual Business Agreement, eitherexplicitly or by going beyond the specified duration of the BusinessAgreement without renewing it. As soon as the Business Agreement isterminated, sharing between the two organizations may be terminated bythe system. Embodiments of this invention may allow for information—forexample, information archived before termination—sharing to continueafter termination.

Embodiments of the invention allow sharing Individual personalinformation among different authorized users within an organization oracross organizations. It also allows systems to find common Individualsamong different organizations. Matching common Individuals may startwith having a proper Individual, Parent, and/or Guardian Authorization(I/P/G A), Service Authorization (SA), and a mutual Business Agreement(BA) in effect (if the organization executes such an agreement).

In FIG. 5, Security Domain I 101 and Security Domain II 102 representtwo organizations having a mutual Business Agreement (110) in effect.I/P/G A—X105 allows Individual X to be enrolled in Security Domain II102. Individual X is initially enrolled in Security Domain I 101.

While enrolling Individual X in Security Domain II 102 (501),embodiments of this invention may allow authorized users to check (502)if the Individual or Guardian has authorized the organization to shareprivate information of Individual X. If proper authorization is notfound, the procedure may end (505). However, when the Individual orGuardian is found to have appropriately authorized private informationsharing on Individual X (I/P/G A-X) 105, Individual X can then beenrolled (147). Then embodiments of the invention check (503) to seewhether Security Domain II 102 has any mutual Business Agreement(s) 111with other Security Domains. If the embodiment calls for executing amutual Business Agreement and no sharing domain exists, then SecurityDomain II 102 directly enrolls the Individual and no sharing—withrespect to that individual's information—occurs. If sharing domainsexist, embodiments of the invention provide means to search (503) forparticular security domains (for example, Security Domain I 101) withwhich Security Domain II 102 wants to share information on Individual X.Security Domain II 102 checks (506) if Individual X is enrolled inSecurity Domain I 101. Embodiments of the invention provide a system(514) for matching the Individuals based on unique identifiers such asName, Social Security Number, State ID Number, Birth Date and MedicaidNumber. If no match is found, the Security Domain II 102 directlyenrolls (507) the Individual. If a match is found, embodiments of theinvention provide means to send a request (508) to Security Domain I 101to share information between the two organizations on Individual X.

Today, these matches are typically identified by using a commonidentification number such as a Jurisdiction specific ID, or a SocialSecurity Number. Although these methods are available in embodiments ofthe invention, they tend to not work well across Jurisdictions, andSocial Security Numbers are not intended for this purpose. Embodimentsof the invention provide the unique ability to match across multipletypes of information to form a match, even when there are errors in datasuch as Birth Date, etc.

Embodiments of the invention allow Security Domain I 101 to be alertedwhen a request is received from Security Domain II 102 on sharinginformation about Individual X (509). While processing the request,Security Domain I 101 may request the system (514) for matchingidentities of common Individuals. The request may be processed andSecurity Domain I 101 may either accept (511) or reject (512) therequest to share information on Individual X. Embodiments of theinvention also provide the means to automatically accept or reject therequest, or to provide for manual intervention. Security Domain II maybe alerted of the acceptance or rejection of the request. On acceptanceof the request, the two organizations may start sharing information onIndividual X (135).

Embodiments of the invention also provide the means to automaticallynotify Security Domain II 102 that sharing has been accepted forIndividual X (513).

FIG. 5 a is a sample of the Individual Data Form that requestsinformation which facilitates embodiments of the invention to matchshared individuals. Users with appropriate roles log into the system toenroll an Individual via the enrollment process. The enrollment processrequests the user to input the Individual Data Form that has beendesigned to efficiently maintain essential information about individualsthe organizations support. As pointed in FIG. 5 a, it containsinformation such as ID number, Social Security Number (SSN), Birth Date,and Medicaid Number, all of which may uniquely identify the individualsenrolled. Embodiments of the invention use these identifiers to ensureaccuracy in matching Individuals that are/have been requested to beshared among organizations authorized for sharing.

Embodiments of the invention may allow for information sharing byallowing the system to match across multiple types of information. Thissystem may form a match based on names, or other partial information,even when there are errors in data other than the unique identifiers,such as Birth Dates, home addresses, etc. The matching system may befurther augmented to allow for minor errors, such as single digiterrors, or matching of some numbers are. In the case of severeambiguity, the user may be asked for more information; however, anyrequest is such that it does not violate, in the case of HIPAAinformation, the HIPAA privacy rights.

FIG. 6 illustrates the Caseload based security access system. In FIG. 6,Security Domain I 101 and Security Domain II 102 represent twoorganizations having Individual, Parent, and/or Guardian authorization,Service Authorization granted by the Regulators or Funders, and a mutualBusiness Agreement in effect. Individual X is enrolled in both theorganizations and shared between them. Referring to FIG. 6, embodimentsof this invention may provide systems to define user privileges inflexible ways. Individual X 115, Individual Y 119, and Individual Z 118are enrolled in Program I.2 117 within the organization Security DomainI 101. Individual X 115 is also enrolled in Program I.1 112 along withIndividual V 113 and Individual W 114. Both the organizations 101 and102 have the required detailed information of Individual X in IndividualData Form I.X 121 within Security Domain I 101 and Individual Data FormII.X 136 in Security Domain II 102.

As shown in FIG. 6, User I.A 129 in Security Domain I 101 has beenassigned the Standard Caseload 128 of one Individual in all programs.This may provide User I.A 129 access privileges on Individual X 115.This means that embodiments of the invention may allow User I.A 129 toaccess records of Individual X 115 irrespective of the programsIndividual X 115 is enrolled in. That is, User I.A 129 may access RecordI.X.2345 116 in Program I.1 112 and Record I.X.1234 120 in Program I.2117 of Individual X 115.

Referring to FIG. 6, User I.B 601 has been assigned a Super Caseload 604(i.e., a set of Standard Caseloads, as indicated by the combination ofdiagonal and horizontal shading) which provide access privileges onIndividual X 115 and Program I.2 117. Embodiments of this invention mayallow User I.B 601 to access records of all Individuals (includingIndividual X 115) in Program I.2 117 and other records of Individual X115 irrespective of the program Individual X 115 is enrolled in. Thus,User I.B 601 may be able to access Record I.X.2345 116 in Program I.1112 and Record I.X.1234 120 in Program I.2 117 of Individual X 115.

User II.F 142 in Security Domain II 102 has been assigned the Caseload141 of one Individual 147 in one Program 603. This may provide User II.F142 privileges to access information of Individual X 115 in Program II.1146, as indicated by the “shaded circle”. The Access Profile of DomainII 130 in Security Domain I 101 defines privileges for users in SecurityDomain II 102 to access information of Shared Individuals 135 in ProgramI.2 117 of Security Domain I 101. Embodiments of the invention havesystems to help determine the Shared Individuals among theorganizations, for example Individual X 115 and 147 in Security DomainsI and II, respectively. Through this system the Access Profile of DomainII 130 in Security Domain I 101 may allow User II.F 142 in SecurityDomain II 102 to have access privileges on Individual X 115 in ProgramI.2 117 in Security Domain I 101. Thus, User II.F 142 in Security DomainII 102 may have access to Record I.X.1234 120 in Program I.2 117 inSecurity Domain I 101 of Individual X 115, but not record I.X1234120.

With the Access profile of User II.G 139 in Security Domain II 102,embodiments of this invention may allow the user to have accessprivileges on the archived data 133 of Individual X 115 and 147.

FIG. 6 a is a sample of a screenshot where the users are assignedCaseloads to match their authorizations. A User with the appropriaterole may log into the system and select the Caseload to be created. Forexample, if Standard Caseloads on a program are to be assigned, theauthorized user may select the particular Program (from the list ofPrograms provided in the page) to which the Caseload is to be added andthen provide a Caseload Name. Clicking on Save may create the Caseloadand thus it may be saved in the system.

Caseloads specify which Individuals and which Programs a user is allowedto access information about. The actions a user is allowed to perform onthat information in an embodiment of the system is specified by SecurityAccess Roles, or just Roles.

FIG. 7 shows a schematic diagram of the basic functions andrelationships of Security Access Roles. The Roles determine thefunctions a user is permitted to perform on specified types ofinformation about an Individual.

For ease of explanation, Roles are grouped into three types: those thatapply to “plan” or “report” applications, those that apply to “data”applications, and those which may be common among the applications.Examples of “plan” or “report” applications are: Individual Data Formthat holds detailed personal information of an Individual, Event Reportswhich record different critical and sensitive information on events thathave taken place with an Individual, Behavior Plan, which illustrates aset of behaviors an Individual is likely to display, and IndividualSupport Plan, that is used to teach an Individual different tasks andrecord progress. Examples of “data” applications are: SecureCommunications to send different types of secure electronic messages tousers in a secure way, T-Log to inform other authorized users ofdifferent issues in the organization, Health Tracking to recorddifferent health information of Individuals, Behavior Event (optionallybased on the corresponding Behavior Plan) and ISP Data based on asession as described in the Individual Support Plan. Roles are assignedseparately for each application to assure that the user only has accessto the types of information and specific actions which are appropriatefor their job functions.

The Roles which may apply to “plan” or “report” applications are: Submit701, Review 705, Deactivate 704, Approve 706, and Follow-Up 708. A userwith a Submit Role 701 may enter new data, and then either Submit it forApproval or temporarily Save 702 it for further work. A user with aReview Role 705 may add Review comments, or return the plan to thesubmitter for further work. A user with the Approve Role 706 may modifythe submitted 703 plan, Approve it, or Return it to the submitter forfurther work. A user with the Deactivate Role 704 may take a submittedplan 703 mark it as deactivated and that plan will be placed in theUpdate History 710 and no longer show as a submitted plan 703. A userwith the Follow-Up Role 708 may end follow-up comments to approved plans707.

The Role which may apply to “data” applications is: Enter 712. Thesystem allows an authorized user with Enter Role 712 to enter suchinformation that requires no approval. Such information is referred toas the Approved plans 714 as soon as they are entered.

The Roles which may be applied to either type of application are: View718, Update 709, Send to Archive 711, View Update History 717, ViewArchive 716, Update Archive 719, and Emergency View 720. A user with theUpdate Role 709 may make a change to an Entered 713 or Approved 707record; the old version is stored in Update History 710, along with thetime and date of the change and the name and title of the user. Inaddition to Updates described above, information may be sent to theArchive 715 when (1) an Individual is enrolled in an organization forprolonged period, the old information is sent to archive to efficientlymanage all relevant information; or (2) any Individual leaves theorganization, embodiments of the invention allow storing of theindividual's information in an Archive 715. A user with the Send toArchive Role 711 may move data from the Approved 707 or Entered 713states into the Archived state so that it is no longer available to thenon-Archive Roles. A user with the View Update History Role 717 may viewcorresponding information in the Update History 710. A user with ViewArchive Role 716 may view and retrieve information from the Archive Data715. A user with Update Archive Role 719 may make updates to thearchived data; the old version is stored in Archived Data 715, alongwith the time and date of the change and the name and title of the user.A user having limited access to an Individual's information may be givenan extended authorization, e.g. Emergency View role 720, to access thatinformation depending on the degree of emergency.

Referring to FIG. 7, the flow of information across each state can bedescribed as follows: Authorized users may enter information on theIndividual and save the information for further modifications. Thesystem may ensure security by allowing such authorized users to save,submit, and review information on Individuals. As shown in FIG. 7, theinformation recorded on Individual may be entered and saved 702. If arecord has been saved 702, it may allow the originator to access andmodify it. If a record is submitted it moves to Submitted state 703where it awaits for approval. Embodiments of this invention have systemsto ensure that users with the Review 705/Approve 708 role are alertedwhen a report is waiting for approval. The user with the Approve role708 may then review the information and make necessary changes. Afterreviewing, the information may again be saved and submitted forapproval, or be directly approved by the approver.

Users with appropriate authorizations e.g. having a Deactivate role 704may also deactivate the submitted information if requested. Embodimentsof the invention allow such information to be stored in a securedatabase 710 for users with proper roles to access the information.

Embodiments of the invention provide systems to store approved (707)Individual information in a secure database 710 and to retrieve and viewthose information for further analysis or use.

FIG. 7 a is a sample of a screen shot which allows Roles to be groupedinto a Super Role that may be assigned to users. A Super Role is astandardized job classification or position. The figure shows the roleswhich are applied to particular applications in this embodiment of thesystem.

FIG. 8 is a sample of a screen shot where embodiments of the inventionallow a user with suitable authorization, a Data Administrator, forexample, to assign Super Roles and Caseloads to an authorized user toaccess the Therap System and may be created by combining one or more ofthe Roles provided by the system, to enable the authorized users tosecurely and adequately perform their tasks. A Data Administrator may beauthorized to create accounts for other appropriate users and assignroles and/or Super Roles to them. Once the Super Role is created, it isassigned by the Data Administrator to the authorized users. Thisassignment process requests the Data Administrator to click on the UserPrivilege link on FirstPage, select an authorized user from the listavailable and then reach the Assign User Privilege page. The DataAdministrator then selects and assigns the Caseloads to the user. Thebottom section of the Assign User Privilege page provides a record ofthe Super Role Name and Caseload Name that had already been assigned tothe user. Thus, embodiments of the invention provide a system thatallows assigning access privileges securely based on differentcombinations of Individuals, security domains, and other Caseloads,which streamlines the process for the authorized users to get privilegesbased on their preferences and needs. Also, authorized users may removespecific privileges for a user if the authorizations change.

Requirements for an implementation which embodies the inventiongenerally include resistance to failures in hardware, software andoperations, and other aspects of the system to ensure against the lossof data, as well as to provide a very high probability of being able toaccess the data at any time. To accomplish these objectives componentsof the system are replicated in proportion to their likelihood offailure.

FIG. 9 is a high-level overview of a sample of an implementation whichcould run an embodiment of the invention. The node 901 is connected tothe Internet 916 by one or more high-speed connections 917 to providereliable access. Individual Internet connections 917 are relativelyunreliable, and thus Internet routing technology 902 provides theability to automatically switch from one Internet access to another sothat users do not experience a failure in accessing the system becauseof a failure in the Internet connection 917.

The Internet 916 unfortunately allows many unwanted accessopportunities, and thus a set of firewalls 903, 906 are used to screenunwanted access. One aspect of providing communications is the abilityto send or receive messages of various kinds over the Internet and thusa message server 904 is required; this is software running on acomputing platform. Other types of messages are sent and or received viapagers, fax, and modems; to implement these additional servers 905 areused, and these also connect to the telephone network 912.

The remaining servers need to be further protected from harmful Internettraffic and thus another set of firewalls 906 and other protections areused.

The service is implemented using secure Web access, and thus Web servers907 are employed. Both because they are critical to providing theservices described in the invention, and also to provide capacity forhigh loads, multiple Web servers 907 are employed. Part of the functionof the firewalls, etc. 906 is to distribute the traffic to theappropriate servers 907, 909.

Another key aspect of implementing the system is the database server909. Similar to the Web servers 907, the database servers 909 arereplicated for reliability and capacity.

The most likely single failure in the hardware is a disk drive, so astorage array 911 is employed. A storage array 911 contains a largenumber of physical disk drives with several methods of replicating thedata across the individual drives. The combination of the storage switch910 and the storage array 911 assures that the Web servers 907 and thedatabase servers 909 can gain access to the data when needed. A storagearray 911 is designed for operation and even replacement of failed diskdrives and other components, such as power supplies and disk controllerswhile the storage array 911 is still operating, providing seamlessaccess to the data.

As part of the operations, especially in the case of emergency, wastemedications needs to be provided and thus there are telephones 913connected to the telephone network 912 including wired and wirelesscommunications.

None of the systems can operate without electoral power, and thusuninterruptible power supplies 914 are used. These are basicallybatteries with control circuits so they can immediately take over in thecase of loss or reduction in the electoral power. In the case ofextended power outage the uninterruptible power supplies 914 would notbe able to maintain power indefinitely, and thus a power generator 915is also included in the design.

Taken together these provide a very reliable platform for operating thesoftware to implement an embodiment of the invention. However, there isstill a possibility of a catastrophic failure, such as a major fire, andthus the data need to be stored elsewhere. One redundancy mechanism isperiodic for example daily, backup of the data to backup media 908.

FIG. 10 is a sample how redundancy across different physical locationscan be used to increase the reliability of an embodiment of theinvention.

For example a physical node 901 as shown in FIG. 9 could be implementedat Site 1 1001 and also at Site 2 1002.

Special software and operations 1004 are employed so that the data inthe storage array 1005 at Site 1 1001 and the storage array 1006 at Site2 1002 are continuously synchronized or “mirrored”. For example, a usermay enter data into the embodiment of the invention running on the nodeat Site 1 1001. Almost immediately the data is copied to the storagearray 1006 at Site 2 1002.

Now assume that there is a failure of some sort so that traffic is notable to access Site 1 1001. This could be due to any number of reasons,including the failure of the Internet access links 1010, or failure ofcritical hardware or software at the node at Site 1 1001.

The system detects this failure and uses the Internet routing capability1009, using the Internet routing components 1007, 1008. Internet trafficis now automatically routed over the Internet access 1011 to Site 21002. Because the data are already available in the storage array 1006at Site 2 1002 the user does not notice that any sort of failure hastaken place.

As a further caution against him multiple disasters, the backup media1012, which are recorded created, are stored at it a different site1003. In the case of catastrophic failure, the database could berestored to the point of the last backup from the fact that media 1012.

Taken together these types of taken techniques provide a very highlikelihood of not losing data permanently and of being able to accessand use the data at any instant.

This type of distributed implementation can be used in several differentways. More than two nodes can be employed to provide higher capacity andhigher reliability and availability. The physical and softwareimplementations at different nodes do not need to be identical as theyare relatively independent; the only requirements are that the Internetrouting capability 1009 and the database mirroring 1004 can operateamong the nodes. Thus it is possible for any node implementing anembodiment of the invention to be a very simple device, such as a singlecomputer with some associated equipment. And that implementation couldwork with other implementations, such as that shown in FIG. 9. It isalso possible that the nodes can be operated in widely separatedgeographical areas, and even in different nations, as long as theInternet routing capability 1009 and the database mirroring 1004 canoperate successfully over long-distance, the delays in synchronizationbetween the two databases 1005, 1006 may be delayed, but this can beaccounted for in the operation of the overall system. Further, it ispossible to have traffic from some users preferentially routed to onenode 1001, while other users are actually routed to another node 1002and still have the nodes backing up the overall database.

Thus the implementations described provide a very flexible mechanism forembodiments of the invention.

FIG. 11 is an overview of the system that allows Tracking Changes inInformation among Security Domains. Embodiments of the invention mayprovide systems that allow follow up of the changes brought about in theinformation being shared among the organizations.

In FIG. 11, Security Domain I 101 and Security Domain II 102 representtwo organizations having Mutual Business Agreement 110 (Mutual BA) ineffect. Both the organizations are authorized by the Individual, Parent,and/or Guardian 104 to support and share Individual X 115, enrolled inboth organizations, among them. Security Domain I 101 and SecurityDomain II 102 also have Service Authorizations (SA-X) 106 and 108granted by the Regulator or Funder 107 for Individual X 115.

Security Domain I 101 has Access Profile of Domain II 130 which includesa set of roles 131 that defines the extent of privileges a user inSecurity Domain II 102 may hold to access and share information oncommon Individuals 135 enrolled in both the organizations. Each time auser (either User I.A or User II.F) exercises a role depending onhis/her access privileges defined in the caseloads 128, 132 and 141,that activity is described in an Activity Tracking Log 1102, 1104.Specifically the date and time, the roles, the information accessed, andvarious information, referred to by 1101 and 1103, about the user arerecorded in an Activity Tracking Log 1102 in Security Domain I 101 and1104 in Security Domain II 102.

To maintain the consistency of information on shared common Individualsin both the organizations (Security Domain I 101 and Security Domain II102), embodiments of the invention allow systems to store theinformation securely and restrict its access. The information recordedmay be characterized as Confidential and Restricted.

For example, the Individual Data Form I.X 121 in Security Domain I 101comprises of detailed personal information on Individual X 115. It mayalso contain information that may be essential in special emergencysituations to Security Domain I 101, but may not associate to anIndividual directly. Such information is considered and thus markedconfidential because it may differ according to each organization'srequirement, which may depend on the internal operations of theorganizations. Thus, embodiments of the invention allow the informationto be stored and shared in a secure environment to maintain the privacyand accountability guidelines of HIPAA, as well as other laws,regulations, standards, and/or policies. The information that are markedRestricted comprises of extremely sensitive and confidentialinformation. Embodiments of the invention ensure that access to view ormodify such information is available to authorized users. Through theShared Access Profile the invention thus provides systems to securelyView and/or Update record on the common Individual information.Embodiments of the invention thus provide this security by keeping trackof every detail of actions performed on any data. Any access to thesystem or any action performed is logged noting User ID, time, date,data ID, and activity

FIG. 11 a is a sample screenshot of the records saved securely tofacilitate Tracking Changes in Information within and among SecurityDomains due to different users' activities. The records include UserLogin Name, Internet Protocol (IP) address—which is a unique number usedby computers to refer to each other when sending information through theInternet (note that with some types of Internet access, the IP addressof a computer may change from one session to another), ActivityType—which is the activity performed on information, Module Name —whichis the name of the application being used, Action, Form ID —which isIdentification Number of the form, Date and Time of the user's activity,Program —which is the service classification where information has beenchanged, and Comments. Authorized users may access the Activity TrackingLog. Embodiments of the invention may allow users from differentorganizations—which have appropriate agreements in effect—to share andaccess this information.

FIG. 12 illustrates embodiments of the Notification System through whichembodiments of the invention alert the users of specific events withinthe system for which they are authorized to have access.

In FIG. 12, Security Domain I 101 and Security Domain II 102 representtwo organizations having Mutual Business Agreement 110 in effect. AnIndividual X 115 is enrolled in both the organizations. This means thatboth Security Domain I 101 and Security Domain II 102 are authorized bythe Individual, Parent, and/or Guardian 104 to support and shareIndividual X 115 among them. The organizations also have ServiceAuthorizations 106 and 108 granted by the Regulator or Funder 107 forIndividual X 115.

Referring to FIG. 12, embodiments of the invention provide a systemwhich alerts the users of the actions they wish to perform on Individualinformation. Such an embodiment of this invention is the screen userssee when they log on to the system (“FirstPage”) 1201. This interactivepage may inform the users of what information is available for them andpermits them to select reports they wish to work on. This means that assoon as User II.F 142 logs in, the number of records 1202 to be acted onby User II.F 142 defined in each of the roles in User II.F AccessProfile 138 is displayed in User II.F's 142 FirstPage 1201. FirstPage1201 personalizes itself for each user. It lists all reports waiting forthe user to view or work on based on their authorized access to eachapplication, and the information on Individuals for which they areauthorized in the corresponding caseload. Note that FirstPage is securebecause it is only available after the user has log into the system, andonly shows information and actions for which that specific user isauthorized.

Notification may also be performed through other media. Embodiments ofthis invention allow for users to configure their Notification Profile1206 to meet their specific needs. This facilitates information sharingby ensuring that the authorized users are appropriately notified whencertain actions have been performed on information of Individuals forwhich the user is authorized. Embodiments of this invention may alloweach authorized user to personalize their notification profile accordingto their specific needs. This system is available on FirstPage 1201 forevery valid user, although it may be limited by the Data Administrator,and a default notification profile may be specified by the DataAdministrator for each Super Role.

As shown in FIG. 12, the Notification Profile system 1206 comprisesoptions that let the users select their own preferred way of receivingalerts. Embodiments of the invention allow users to choose the media1205 through which the user wants to be alerted. Some of these media arenot secure, so embodiments of the filter the information to assure thatno private information is sent over a non-secure media 1204; thusnon-secure media may receive only limited information compared with whatis sent over a secure medium. For example, the name of an Individualcannot be sent over a non-secure medium. The media available foralerting the users are, for example, Electronic Mail 1207 and 1208, Textmessaging 1209 and/or Alphanumeric Pager 1210. The users may also selectthe programs they want to be alerted of, as soon as relevant informationhas been recorded. Users may be alerted of different actions (such asSubmit, Approve, Delete, Return, Review, and Follow-up) that areperformed on reports of Individuals in the chosen programs. The usersmay also be alerted based on different degrees of notification level.

Embodiments of this invention provide systems to identify users whospecified to receive notifications of the performed action when certainactions have been performed 1203. The Notifications are sent via themedia the user has specified in the user's Notification Profile.Embodiments of this invention may also provide systems which ensure thatappropriate users are alerted of their actions on time and such messagesare secure and not malicious 1204. Embodiments of the invention mayprevent inappropriate information from being sent across non-securemedia. FIG. 12 a is a screenshot of the FirstPage. This diagramillustrates the scenario of how an authorized user receives notificationas soon as s/he enters the secure system. The arrow 12 a 01 indicatesthe number of tasks with level of emergency the user needs to View underthe module ‘T-Log’. Similarly the arrows 12 a 02, 12 a 03, 12 a 04, 12 a05, 12 a 06 and 12 a 07 indicate numbers that specify the number offorms and/or reports on which an authorized user is required to performhis/her authorized actions. Since FirstPage personalizes itself for eachuser, the number of reports waiting for the user to work on is based ontheir authorized access to each application, and the information onIndividuals for which they are authorized in the corresponding caseload.

FIG. 12 b is a screenshot of Notification Information. This displays thewebpage that allows an authorized user to enter information required bythe system in order to provide appropriate notifications to authorizedusers. Referring to FIG, 12 b the invention allows the system to sendnotifications to authorized users according to the users' choice ofnotification media. The notification media that the system allowsinclude Numeric Pager, Text Pager or Cell Phone, and Email.

FIG. 12 c is a sample of the records in the notification profile whichenable the system to securely alert authorized users of their services.Authorized users may configure their notification profiles according totheir preferences. To configure notification profile, the users choosethe appropriate application, from a list of applications they haveaccess to, for which they want to configure. As shown in FIG. 12 c, theusers then may view the Configure Notification Profile page where theyselect the type of media and the degree of urgency of each media typedepending on the user's needs.

FIG. 12 c, for example shows the application or module ‘General EventReports’ for which the notification profile may be configured. Thesection ‘Notification Events’ list the actions that are performed ongeneral event reports. The ‘Select Media’ section in

FIG. 12 c lists the media types such as Numeric Pager, Text Pager/CellPhone etc through which the system notifies the users. An authorizeduser then choose according to his/her preferences the notificationevents and the media type through which they want to receive thenotifications., For example, an authorized user chooses the option ‘Yes’for the Notification Event ‘Submit’. Under Select Media the user thenchooses the option ‘Medium’ beside the event ‘Injury’ under the media‘Text Pager/Cell Phone’. This means that the user is choosing to benotified through cell phone whenever a ‘Submit’ action is performed forthe event ‘Injury’. Choosing the notification level to be ‘Medium’indicates that the user chooses to receive notifications of only thoseactions whose notification level is ‘Medium’ or ‘High’. Thus the user isalerted of the authorized activities in the system appropriately. Hence,embodiments of the invention provide a system that enhances theefficiency of the user's work by immediately alerting the user aboutactions needing attention.

FIG. 13 is an overview of embodiments of the invention which provideSecure Access to Archived Data in the system.

With the business agreement and proper authorizations in place,embodiments of this invention may allow users in the security domains toaccess Archived Data 133 of Individual X 115, 147. Embodiments of thisinvention provide systems to facilitate the archiving of data ofIndividuals when an organization chooses to send old data to archive tolimit access. When an organization ceases to provide services to anIndividual the records of the Individual may also be archived for futureuse and sharing.

Users with the proper roles may be allowed to access the archivedinformation of Individuals. A user with an Update Archive Role mayaccess appropriate records and update the information. With View ArchiveRole a user may view archived data 133 and copy data from the archiveinto an active record. Users with Send to Archive role may transferspecified data they have access to in the Archive.

As shown in the example in FIG. 13, User I.A 129 in Security Domain I101 and User II.F 142 in Security Domain II 102 may be able to accessarchived information 133 of common Individuals - Individual X 115, 147.With the proper roles 127, User I.A 129 may send Record I.X.1234 120 toArchive 133, and User II.F 142 may in turn may access the Archived Data113 and transfer it into an active record (Record II.X.1234 1105) inSecurity Domain II 102.

FIG. 13 a is a sample of screenshots of the pages which enableauthorized users to share and access Archived Data in a secureenvironment. The sample in FIG. 13 a (I) shows the list of archivedapplications that may be available to users as per their roles andprivileges. Clicking on a link allows an authorized user to enter a page(FIG. 13 a (ii)) where they may search for archived data by Program,Individual Name, Form ID and Archive Date. Based on the criteriaselected, a user with appropriate privileges can then view a list ofrecords showing the archived information on the selected Individuals, asshown in FIG. 13 a (iii). Referring to FIG. 13 a (iv), users may then beable to view detailed information on the appropriate Individuals byclicking on one of these records. Embodiments of the invention allowusers with appropriate roles to view, update, and send data to archivesin a secure environment.

FIG. 14 is an overview of embodiments of the Emergency Access features,which allow users to access certain Individual information in emergencysituations.

In emergency situations staff members in an organization may not haveaccess to certain information of Individuals which may be urgentlyneeded. With the normal access privileges, users may not be able toaccess records beyond the privileges given by their Caseloads and Roles.The Emergency Access features may facilitate users in urgent situationsby enabling them to gain access to selected information beyond theirnormal access privileges.

Embodiments of this invention provides a specific Emergency Data Formapplication to provide access to information which is typically neededin emergency situations, while releasing only a limited amount ofprivate information. The Emergency Data Form is automatically updatedwhen corresponding information is changed in any other application. Insome cases it is desirable or required to have a printed version of theemergency information. Embodiments of the system may provide a role sothat an authorized user is notified whenever the information on anIndividual's Emergency Data Form changes so that they can print out acopy of the new version.

Referring to FIG. 14, Embodiments of this invention provide EmergencyAccess given to users in two different ways: Limited-Duration EmergencyAccess 1402, and Ongoing Emergency Access Role 1403 for a specified timeinterval. The only Role for the Emergency Data Form is the View Role1408. Thus a user may be granted access to only this limited informationabout an Individual. This is appropriate for emergency servicespersonnel, for people within the same organization who do not normallyaccess information about this Individual, and for people in otherorganizations who may work with the Individual, but do not normally haveaccess to information about the Individual in the Security Domain.

The Emergency Data Form View Role 1408 may be given to users as a normalpart of working within a security domain. For example, selected users inorganization may be given the Emergency Data Form View Role for aCaseload which comprises all the Individuals within the Security Domain,even though there normal Roles are limited to a subset of theIndividuals and Programs.

Embodiments of the system also permit the Emergency Data Form View Role1408 to be applied for sharing between Security Domains I 101 and II102. In this case the Individuals to which it applies are limited toShared Individuals 135, which in turn requires that the Security Domainshave Individual/Parent/Guardian Authorizations (I/P/GA-X), ServiceAuthorizations (SA-X), and a mutual Business Agreement (mutual BA). Thusthere is a significant difference between an emergency access privilegesprovided as a user in the Security Domain versus one that is implementedthrough information sharing among Security Domains.

A Limited Duration Emergency Access 1402 account may be created by anappropriately authorized Data Administrator. When an emergency occurs, auser may gain access to this account in various ways. For example,someone desiring access, such as emergency services personnel, cancontact an appropriate person in the corresponding security domain toobtain the information required to access the emergency account.Alternatively, the emergency services organization may have the accessinformation on file and only use it in cases of an emergency. The DataAdministrator may identify the access accounts, for example, using thename of the emergency services or organization, or the name of specificpotential users, such as a Fire Chief or the Commissioner of Division ofDevelopmental Disability Services (DDDS).

When an account is first used, embodiments of the system may permit theSecurity Domain to display specific information to the user, and mayrequire questions to be answered by the user before the account can beused. For example, the user may have to signify that they have read andunderstood the displayed text; also the user may have to enter data suchas the user's name, organization affiliation, and position. These arethe challenges a user faces referred to in FIGS. 14 as 1404 and 1405.Embodiments of the system allow a Data Administrator to specify that anaccount may be deactivated after its first use, a given number of uses,or a period of time.

Referring to FIG. 14, embodiments of this invention may therefore allowUser I.A 129 to access Record I.X.2345 116 of Individual X 115 inProgram I.1 112. Emergency Access may also apply to Shared 135 orArchived Data 133 for Individuals 135 in the users' Caseloads (128, 132,141, and 144). Therefore, embodiments of this invention may also allowUser II.F 142 to access Record I.X.1234 120 in Program 1.2 117. Theseprivileges are given to users with the proper Emergency Access roles1408.

A Data Administrator can choose to be notified as stated in 1406, whenan account is first used, or when an Emergency Data Form View Role isused. A Data Administrator may track the actions of any account as theyoccur, for example as shown in FIG. 11 a. The Data Administrator maydeactivate the account at any time, including while the account is inuse. Thus a Data Administrator has considerable flexibility in creatingand managing a Limited Duration Emergency Access 1402 account, and useof the Emergency Data Form View Role 1408.

FIG. 14 a is a sample of the FirstPage showing the Emergency Data FormRole. The Emergency Data Form has been designed to display theIndividual information that is commonly requested to carry outactivities in emergency cases. As shown in FIG. 14 a, authorized usershave only Emergency Form View Role that allows them to access, view, andif necessary print the information about the Individual'sIdentification, Contact, Medical, and Insurance within a secureenvironment. With the aid of such information, embodiments of theinvention facilitate the system to recognize authorized users inemergency situations, and may control their access to other information.

FIG. 15 is a sample of Additional Shared Security Features that enhancesprivacy in sharing.

Each Security Domain involved in sharing common Individual informationhas its own Password Policy, specifying variables to define thepolicies. As shown in FIG. 15, authorized users in SecurityDomain—Provider A may define their organization's own Password Policyspecifying the limitations of the variables. Thus, embodiments of theinvention allow each provider to set their own password policy tomaintain secure information sharing.

Embodiments of the system may include requirements of the passwordpolicy configuration, as shown in FIG. 15: the minimum length of thepassword, the minimum number of uppercase letters, the minimum number ofdigits, the minimum number of other characters, the maximum number ofincorrect password attempts before the account is locked, the timeframein which the password attempts are measured, the expiration date of thepassword, and the starting day of warning a user before expiration ofthe password.

FIG. 15 a is a sample of other Additional Shared Security Features thatfacilitates in information sharing by providing privacy and security byenabling a Data Administrator to manage all of these security accessfeatures.

As shown in the figure, embodiments of the invention provide eachSecurity Domain the privilege to define (1) Super Roles —defining theextent of roles, (2) Caseloads—defining who may have what privileges onwhich program and/or individual, (3) Sharing—sharing individualinformation among organizations, (4) Archiving—storing individualinformation that may be shared by organizations having appropriateagreements, and (5) Emergency characteristics that may be used tocategorize the system's actions.

Referring to FIG.15 a, the arrow 15 a 01 refers to the module ‘SecureCommunications’ which is a secure E-mail system provided to authorizedusers. The system allows the users through Secure Communications tosecurely exchange Personal Health Information (PHI) and otherconfidential information in compliance with HIPAA. The arrow 15 a 02refers to roles and super roles that define the extent of userauthorization. The arrow 15 a 03 refers to the module ‘Access Control’that is designed to restrict the user privilege. The arrow 15 a 04refers to the module ‘Security’ that allows authorized Security Domainsor organizations to configure their password policy. Through thismodule, the system also tracks the time and date each activity is takingplace within the system. The arrow 15 a 05 refers to the module‘Archived Data’ that stores all the old data that had been modified orupdated by authorized users. The modified information are not onlystored but also can be retrieved and viewed in future for further use.

FIG. 16 is an overview of embodiments of the Security Monitoring andAuditing system for Shared Access which enhance privacy and security ofIndividual information as requested by HIPAA regulations and guidelines.

Security Domain I 101 and Security Domain II 102 represent twoorganizations that have the Individual, Parent, and/or Guardianauthorizations 103 and 105 to support and share information of commonIndividuals among them. The organizations have been granted serviceauthorizations 106 and 108 by the Regulator or Funder 107. Theorganizations also have a new mutual business agreement 110 in effect.

Referring to FIG. 16 Individual S 1401 is enrolled in both the programsProgram II.1 146 and Program 11.2 1601 in Security Domain II 102. Inaddition, Program II.1 146 has Individual R 1001 and Program 11.2 1601has Individual T 1602 and Individual U 1603 enrolled, in Security DomainII 102. Each organization under the agreement has a Sharing AccessProfile 130 and 1605 of the other.

Security Domain II 102 has the Access profile 139 of User II.G 145allowing the user to have access privileges 144 on the archived data 133of Individual X 115. Security Domain II 102 also has Access Profile 1605of Domain I 101 that allows users to access information on Program II.21601 in Security Domain II 102 and thus share information on commonIndividuals among the organizations Security Domain I 101 and SecurityDomain II 102.

In order to wholly comply with, inter alia, HIPAA security regulationsand guidelines on health information of Individuals, embodiments of theinvention keep track of every access to the system. Systems are providedto track every detail of actions performed on any data. Any access tothe system or any action performed is logged, including Archived 133 andShared 135 access, noting User ID, time, date, data ID, and activity.All the activities of staffs may be carefully monitored to ensure thatinformation has been shared and accessed as permitted by theirprivileges. Security Domain staff with proper authorizations may benotified of all activities as specified in their profiles.

In addition, embodiments of the invention provide systems tocontinuously monitor all activities for suspicious patterns. Anyundesired actions by authorized or unauthorized people may notify theappropriate security domain staff and Therap Services, who may takedirect action that includes disabling user accounts, freezing selecteddata, or terminating the privileges of a Security Domain.

FIG. 16 a is a sample of the pages which enable systems for SecurityMonitoring and Auditing for Shared Access. Organizations withappropriate agreements in effect share individual information that issubject to change by authorized users. To provide data consistency whilesharing individual information, embodiments of the invention providesystems that record detailed information about the activities of theauthorized users to ensure security and privacy. Embodiments of theinvention allow a system Activity Tracking that stores information aboutthe authorized users to track down the user's activities on the system.The screen on the left of FIG. 16 a is the Activity Tracking page thatshows records of the users' login name, Internet Protocol (IP) address,activity type, module name, action, date and time, and programs. Thesedata may assist in tracking down the causes of changes in informationwhen requested.

In order to comply with, inter alia, HIPAA regulations, the system alsomay monitor all activities to detect any suspicious patterns asmentioned in 11603 in FIG. 16. The system administrator is authorized totake direct actions against acts that violate the health related lawsand regulations. The right side of FIG. 16 a represents a page User Listwhere the user Admin has the privilege to disable any user accounts, iffound to be performing activities accounting against, for example, HIPAAregulations, by clicking on Deactivate on the right side of each user'srecord. Thus, embodiments of the invention ensure privacy and securitywhile sharing individual information within and across organizationshaving Mutual Business Agreement and appropriate authorizations ineffect.

FIG. 17 illustrates the Secure Shared Information Access where theIndividual, Parent or Guardian acts as the Primary Security Domainmanager.

Embodiments of the present invention provide secure sharing of privatehealth information across organizations in accordance with HIPAA andother security regulations.

As shown in FIG. 17, Security Domain I 101 represents the Individual,Parent or Guardian 104 acting as the Primary Security Domain managerhaving service authorizations 106 and 108 from Regulators or Funders 107that define the services which can be supplied for the Individual.Security Domain I 101, being an Individual, Parent and/or Guardian 104themselves, does not require Individual or Guardian authorization, thusmaking the secure Individual information sharing more flexible. SecurityDomain II 102 represents an organization that has a valid Individual,Parent or Guardian Authorization 108 to store or access privateinformation about the Individual, and also to share information withanother organization or Parent/Guardian 104 acting as a serviceprovider. In order to share common Individual information among theservice providers, they must enter into a Business Agreement 110, whichcomplies with privacy, and security regulations in accordance with HIPAAand other state laws.

Referring to FIG. 17 Individual X 115 represents an Individual who isserved by both security domains, Security Domain 1101 and SecurityDomain II 102. Both the security domains have the required detailedinformation of Individual X 115 in Individual Data Form I.X 121 andEmergency Data Form I.X 122 in Security Domain I 101 and Individual DataForm II.X 136 and Emergency Data Form II.X 137 in Security Domain II102. In Security Domain I 101, Individual X 115 is enrolled in twoservice Programs, termed as Program I.1 112 and I.2 117. The sameIndividual in Security Domain II 102 is enrolled in Program II.1 146.Each security domain under the agreement has a Sharing Access Profile130 and 1605 of the other. This invention includes innovative mechanismsto identify common Individuals and their corresponding healthinformation that is to be shared.

Embodiments of this invention include mechanisms allowing authorizedusers in one organization to access Individual information underdifferent security domains within that organization. Authorized users inSecurity Domains I 101 and II 102 are assigned access privileges orroles that control users' access to specific Individual information.Access privileges define the extent to which a user can access and/orperform actions on Individual information. This invention includes aninnovative mechanism, Caseloads (128, 132, 141, 144, 604, 1607), whichallow the Security Domains I 101 and II 102 to specify accesscapabilities of the user on a combination of one or more programs,Individuals, program-Individual pair, or other predefined caseloads.This capability ensures flexibility and facilitates the privacy andsecurity mechanisms by allowing users to have privileges for only oneIndividual or several Individuals not aligned with the conventionalprograms or for users who have privileges only for one Individual.

As shown in FIG. 17, the Individual, Parent and/or Guardian 104, beingone of the Security Domain managers, will gain complete access andcontrol on the Individual information securely within the homelyenvironment. This revolutionary act gives them the privilege to beinformed of all the actions performed on the Individual information in asecure environment. This invention facilitates Security Domains I 101and II 102 by ensuring security and privacy in sharing and manipulatingIndividual information in compliance with HIPAA regulations and otherstate laws.

Referring to FIG. 17, User I.A 129 and I.B 601 are authorized users inSecurity Domain I 101, and User II.F 142 and User II.G 145 areauthorized users in Security Domain II 102. Each will have similar ordifferent access profiles under the security domains they are in. UserI.A 129 in Security Domain I 101 has access privileges on Individual X115. This means that the invention will allow User I.A 129 to accessrecords of Individual X 115 irrespective of the programs s/he isenrolled in. That is User I.A 129 can access Record I.X.2345 116 inProgram I.1 112 and Record I.X.1234 120 in Program I.2 117 of IndividualX 115. User I.B 601 has access privileges on Individual X 115 andProgram I.2 117. This invention will allow User I.B 601 to accessrecords of all Individuals (including Individual X 115) in Program I.2117 and other records of Individual X 115 irrespective of the programs/he is enrolled in. This will allow User I.B 601 to access RecordI.X.2345 116 in Program I.1 112 and Record I.X.1234 120 in Program 1.2117 of Individual X 115. However, Security Domain I 101, being theIndividual, Parent and/or Guardian 104, comprises of only oneindividual‘3Individual X 115.

User II.F 142 in Security Domain II 102 has privileges to accessinformation of Individual X 115. The Access Profile 130 of Domain II 102in Security Domain I 101 defines privileges for users in Security DomainII 102 to access information of common Individuals in Program I.2 117 ofSecurity Domain I 101. The invention has mechanisms to determine thecommon Individuals across the organizations. Through this mechanism theAccess Profile 130 of Domain II 102 in Security Domain I 101 will allowUser II.F 142 in Security Domain II 102 to have access privileges 141 onIndividual X 115 in Program I.2 117 in Security Domain I 101. Thus UserII.F 142 in Security Domain II 102 will have access to Record I.X.1234120 in Program I.2 117 in Security Domain I 101 of Individual X 115.

Access profile 139 of User II.G 145 in Security Domain II 102 will allowthe user to have access privileges on the archived data 133 ofIndividual X 115. Archived data 133 of Individuals include records thatare updated or changed, or the old data that an organization chooses tosend to archive. When an organization ceases to provide services to anIndividual the records of the Individual can also be archived for futureuse and sharing. Authorized users, given appropriate archive roles, canaccess and retrieve information from the archived data of Individuals.

1-34. (canceled)
 35. A method of granting at least one user in at leastone first organization access to at least one individual's informationwithin at least one second organization, comprising: storing theindividual's information within the second organization, forming anaccess agreement between the first and second organizations, storing, bythe second organization, of said access agreement in an authorizationprofile, requesting authorization for said user to access to theindividual's information within the second organization, retrieving saidauthorization profile, and acquiring authorization for said user toaccess the individual's information within the second organization ifsaid access is authorized by said access agreement.
 36. A method ofgranting at least one user in at least one first organization access toat least one information structure within at least one secondorganization, comprising: storing the information structure within thesecond organization, forming an access agreement between the first andsecond organizations, storing, by the second organization, of saidaccess agreement in an authorization profile, requesting authorizationfor said user to access to the information structure within the secondorganization, retrieving said authorization profile, and acquiringauthorization for said user to access the information structure withinthe second organization if said access is authorized by said accessagreement.
 37. A method as in claim 35 wherein said access agreement isformed between at least two organizations through an intermediateorganization.
 38. A method as in claim 37 wherein said intermediateorganization is a service bureau.
 39. A method as in claim 36 whereinsaid access agreement is formed between at least two organizationsthrough an intermediate organization.
 40. A method as in claim 39wherein said intermediate organization is a service bureau.
 41. A methodas in claim 35 wherein the request for access is a request to view theinformation.
 42. A method as in claim 35 wherein the request for accessis a request to modify the information.
 43. A method as in claim 35wherein the request for access is a request to save the information. 44.A method as in claim 35 wherein the request for access is a request tosubmit the information.
 45. A method as in claim 36 wherein the requestfor access is a request to view the information.
 46. A method as inclaim 36 wherein the request for access is a request to modify theinformation.
 47. A method as in claim 36 wherein the request for accessis a request to save the information.
 48. A method as in claim 36wherein the request for access is a request to submit the information.